Linux Malware Targets 520 Docker APIs for Privacy Coin Mining

Coin World, Wednesday, May 28, 2025 9:22 pm ET

A Linux malware campaign is actively targeting unprotected Docker infrastructure worldwide, turning exposed servers into nodes of the Dero decentralized network that mine the privacy coin for the attackers. The malware abuses Docker daemons whose remote API is reachable on TCP port 2375, the port Docker uses for unencrypted, unauthenticated API access, and deploys two Golang-based implants. One is named "nginx" so that it passes for the legitimate web server of the same name; the other, named "cloud", does the mining. Once a host is infected it scans the internet for further daemons listening on the same port and deploys containers on them itself, so the campaign spreads without any central command-and-control server.

As of early May 2025, more than 520 Docker APIs worldwide were reachable over port 2375 with no authentication, each a potential target for this campaign. Research indicates that the wallets and node infrastructure used here are the same ones seen in attacks on Kubernetes clusters in 2023 and 2024, which points to a single operator that has been refining its tooling over several years rather than to unrelated copycats.

The self-spreading design is what makes this campaign dangerous: every newly infected node becomes a scanner, so the number of compromised servers can grow quickly without the attackers lifting a finger. The underlying exposure is severe on its own. Anyone who can reach the daemon API can create containers with arbitrary host mounts and host namespaces, so a Docker daemon published on port 2375 without TLS client verification is equivalent to unauthenticated root on the host. The fix is to remove the TCP listener or require TLS client certificates (tlsverify on port 2376), and to block the port at the network edge regardless of the daemon configuration.
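The attack described above needs nothing more than a dockerd that answers on TCP port 2375 without TLS client verification, and the defensive advice reduces to finding such listeners before the scanners do. The following Python script is an added example, not code from the article or from the Docker project. It reads the two places where a daemon's listeners are configured, the "hosts" key of /etc/docker/daemon.json and the -H/--host flags on the dockerd command line (the ExecStart line of docker.service), and classifies each TCP listener. The daemon.json samples and the ExecStart line are constructed for the demonstration; the file paths are Docker's defaults, and the port defaults (2375 without TLS, 2376 with TLS) are dockerd's own.

```python
"""Audit how a Docker daemon is exposed on the network.

Added example, not code from the original article or from Docker. The two
inputs dockerd consults for its listening sockets are parsed and every TCP
listener is classified by whether TLS client-certificate verification is
required and which address it is bound to. Sample inputs are constructed.
"""
import json
import shlex
from urllib.parse import urlsplit

PLAIN_PORT = 2375  # dockerd default for tcp:// when TLS is off
TLS_PORT = 2376    # dockerd default for tcp:// when TLS is on
ANY_ADDR = {"", "0.0.0.0", "::"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed daemon.json contents: the weak setting the campaign scans for,
# and the hardened equivalent that requires client certificates on 2376.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""
# Constructed ExecStart line; the same exposure set on the command line instead.
WEAK_EXECSTART = ("/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 "
                  "--containerd=/run/containerd/containerd.sock")


def hosts_from_daemon_json(text):
    """Return (hosts, tlsverify) from the content of /etc/docker/daemon.json."""
    cfg = json.loads(text) if text.strip() else {}
    return list(cfg.get("hosts", [])), bool(cfg.get("tlsverify", False))


def hosts_from_cmdline(cmdline):
    """Return (hosts, tlsverify) from a dockerd command line (e.g. ExecStart)."""
    args = shlex.split(cmdline)
    hosts, tlsverify = [], False
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        if a.startswith("--host="):
            hosts.append(a.split("=", 1)[1])
        elif a.startswith("-H") and len(a) > 2:      # -Htcp://... form
            hosts.append(a[2:])
        elif a in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tlsverify


def audit_listeners(hosts, tlsverify):
    """Classify each TCP listener; unix:// and fd:// are local-only and skipped."""
    findings = []
    for h in hosts:
        u = urlsplit(h)
        if u.scheme != "tcp":
            continue
        host = u.hostname or ""          # urlsplit strips the [] of IPv6 literals
        port = u.port or (TLS_PORT if tlsverify else PLAIN_PORT)
        if tlsverify:
            sev, why = "ok", "TLS client-certificate verification required"
        elif host in ANY_ADDR:
            sev, why = "critical", ("unauthenticated API on every interface; "
                                    "anyone who can reach the port has root on the host")
        elif host in LOOPBACK:
            sev, why = "medium", "unauthenticated API on loopback; local users and SSRF can use it"
        else:
            sev, why = "high", "unauthenticated API on a routable address"
        findings.append({"listener": h, "port": port, "severity": sev, "reason": why})
    return findings


if __name__ == "__main__":
    for label, (hosts, tls) in (("daemon.json (weak)", hosts_from_daemon_json(WEAK_DAEMON_JSON)),
                                ("daemon.json (hardened)", hosts_from_daemon_json(HARDENED_DAEMON_JSON)),
                                ("ExecStart (weak)", hosts_from_cmdline(WEAK_EXECSTART))):
        print(label)
        for f in audit_listeners(hosts, tls):
            print(f"  [{f['severity']}] {f['listener']} (port {f['port']}): {f['reason']}")
```

On a real host feed it the output of `cat /etc/docker/daemon.json` and `systemctl cat docker`; dockerd refuses to start when "hosts" is given both as a flag and in daemon.json, so in practice only one of the two sources applies. A "critical" finding is exactly the condition the campaign's scanners look for. Dropping the TCP listener, or keeping it on 2376 with tlsverify and certificates, closes the entry point; a firewall rule on the port protects hosts whose configuration drifts back.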

Naming one implant "nginx" is a cheap but effective way to survive a casual look at a process list, since a web server binary is unremarkable on a Linux host, and shipping both implants as static Go binaries lets them run in whatever container image the attackers bring along. No software vulnerability is exploited: the entry point is a misconfiguration, a daemon API published on the network without authentication, which is why the campaign can be fully automated. The choice of Dero, a privacy coin whose transactions are hard to trace, shows that the motive is financial gain.

Because the wallets and nodes match those of the earlier Kubernetes attacks, this campaign is best read as the same operator moving to a new orchestration surface rather than as a new actor, and further targets should be expected as the tooling matures. Concretely, organizations should inventory every daemon endpoint reachable from outside the host, alert on containers that were not created by their own deployment tooling, and watch for outbound scanning of port 2375 from their own networks, since an infected node announces itself by hunting for new victims.


Disclaimer: The news articles available on this platform are generated in whole or in part by artificial intelligence and may not have been reviewed or fact checked by human editors. While we make reasonable efforts to ensure the quality and accuracy of the content, we make no representations or warranties, express or implied, as to the truthfulness, reliability, completeness, or timeliness of any information provided. It is your sole responsibility to independently verify any facts, statements, or claims prior to acting upon them. Ainvest Fintech Inc expressly disclaims all liability for any loss, damage, or harm arising from the use of or reliance on AI-generated content, including but not limited to direct, indirect, incidental, or consequential damages.